Announcement Announcement Module
Collapse
No announcement yet.
Can we define Custom Spel function in @PostFilter annotation? Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Can we define Custom Spel function in @PostFilter annotation?

    Hi to all

    I have a simple question.

    I read that is possible to define custom bean that extend SecurityExpressionRoot.

    In this class i can add some custom method. hasConv() for example

    Then i must define a:

    Code:
    public class MyMethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler implements MethodSecurityExpressionHandler  {
    	 @Override
    	   protected SecurityExpressionRoot createSecurityExpressionRoot(Authentication authentication, MethodInvocation invocation) {
    	  MyMethodSecurityExpressionRoot root = new MyMethodSecurityExpressionRoot(authentication);
    	         //root.setThis(invocation.getThis());
    	         root.setPermissionEvaluator(getPermissionEvaluator());
    	         return root;
    	   }
    	}

    And then the xml configuration:
    Code:
     <security:global-method-security pre-post-annotations="enabled" mode="aspectj">
         
         <security:expression-handler ref="expressionHandler"/>
     </security:global-method-security>
     
       <bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
            <property name="permissionEvaluator" ref="permissionEvaluator"/>
        </bean>
        
       <bean id="permissionEvaluator"
              class="org.springframework.samples.petclinic.StorytellingPermissionEvaluator">
        </bean>
    In StorytellingPermissionEvaluator i have standard hasPermission method.

    With @PreAuthorize i can evaluate without any problem the function defined above: @PreAuthorize( hasConv(..))

    With @PostFilter instead the expression seems to be evaluated but i had a classcastexception in DefaultMethodSecurityExpressionHandler class at:

    Code:
     @SuppressWarnings("unchecked")
        public Object filter(Object filterTarget, Expression filterExpression, EvaluationContext ctx) {
            MethodSecurityExpressionRoot rootObject = (MethodSecurityExpressionRoot) ctx.getRootObject().getValue();
    miss something?

    Is there an alternative way, more simple, to achieve the same objective?

    Thanks in advance.

    IlPistolero

  • #2
    Does MyMethodSecurityExpressionRoot extend MethodSecurityExpressionRoot? This may be problematic since it is default scope, but in newer versions of Spring Security you can implement MethodSecurityExpressionOperations.

    Comment

    Working...
    X